1. Web Security Academy
  2. Access control
  3. Lab

Lab: User role controlled by request parameter


This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie.

Solve the lab by accessing the admin panel and using it to delete the user carlos.

You have an account on the application that you can use to help design your attack. The credentials are: wiener:peter.